Abstract

Decentralized information flow control (DIFC) can secure applications built from mostly untrusted code. This paper extends DIFC to the network. We present DStar, a system that enforces the security requirements of mutually distrustful components through cryptography on the network and local OS protection mechanisms on each host. DStar does not require any fully-trusted processes or machines, and is carefully constructed to avoid covert channels inherent in its interface. We use DStar to build a three-tiered web server that mitigates the effects of untrustworthy applications and compromised machines.

Citations

...s to fine-grained objects such as files or threads. A number of systems, including Taos [23] and Amoeba [19], enforce discretionary access control in a distributed system, often using certificates [3]. None of them can control information flow, as a malicious program can always synthesize capabilities or certificates to contact a colluding server. The Taos speaks-for relation inspired the much sim...

... the HTTPS front end would prevent it from sending tax forms back to a client web browser over a network device with a low label. The big difference between DIFC and more traditional information flow [8] is that DIFC decentralizes the privilege of bypassing “can flow to” restrictions. Each process P has a set of privileges OP allowing it to omit particular restrictions when sending or receiving messa...

...d a number of difficult issues addressed by DStar, such as determining when it is safe to connect to a given host at runtime, when it is safe to allocate resources like memory, and bootstrapping. Jif [16] provides decentralized information flow control in a Java-like language. Although its label model differs from DStar’s, a subset of Jif labels can be expressed by DStar. DStar could provide more fine...

...s, making it impractical to track each user’s data. DStar running on HiStar can apply policies to fine-grained objects such as files or threads. A number of systems, including Taos [23] and Amoeba [19], enforce discretionary access control in a distributed system, often using certificates [3]. None of them can control information flow, as a malicious program can always synthesize capabilities or ce...

...ses. DStar could be used to connect multiple Flume clusters together without any inherent centralized trust or scalability bottlenecks. Capability-based operating systems, such as KeyKOS [4] and EROS [17], can provide strict program isolation on a single machine. A DStar exporter could control information flow on a capability-based operating system by ensuring that processes with different labels had ...

...d in order to distribute this web server over multiple machines. Side-channel attacks, such as [1], might allow recovery of the private key; OpenSSL uses RSA blinding to defeat timing attacks such as [5]. To prevent an attacker from observing intermediate states of CPU caches while handling the private key, RSAd starts RSA operations at the beginning of a 10 msec scheduler quantum (each 1024-bit RSA ...

... virtual machines, making it impractical to track each user’s data. DStar running on HiStar can apply policies to fine-grained objects such as files or threads. A number of systems, including Taos [23] and Amoeba [19], enforce discretionary access control in a distributed system, often using certificates [3]. None of them can control information flow, as a malicious program can always synthesize ca...

...i alone. The current bootstrap procedure is tedious, requiring the manual transfer of category names and public keys. In the future, we envisage a setup utility that uses a password protocol like SRP [24] to achieve mutual authentication with an installation daemon, to automate the process. Alternatively, hardware attestation, such as TCPA, could be used to vouch that a given machine is running HiStar...

...tax forms [20]. If we cannot improve the quality of software, an alternative is to design systems that remain secure despite untrustworthy code. Recent operating systems such as Asbestos [21], HiStar [26], and Flume [12] have shown this can be achieved through decentralized information flow control (DIFC). Consider again the PayMaxx example, which runs untrustworthy application code for each user to g...

...obey information flow restrictions). The client library, trusted by individual processes to talk to the exporter, is 1,500 lines of C and C++ code. The exporter uses the libasync event-driven library [13] for network I/O and cryptography, and libc and libstdc++, which dwarf it in terms of code size. 5 APPLICATIONS To illustrate how DStar helps build secure distributed systems, we focus on two scenario...

...If we cannot improve the quality of software, an alternative is to design systems that remain secure despite untrustworthy code. Recent operating systems such as Asbestos [21], HiStar [26], and Flume [12] have shown this can be achieved through decentralized information flow control (DIFC). Consider again the PayMaxx example, which runs untrustworthy application code for each user to generate a tax fo...

...he same network. While the present level of trust in the network suffices for many applications, in the future we intend to integrate DStar with network switches that can better conceal communication [6]. Exporters currently distribute address certificates by periodically broadcasting them to the local-area network. Certificate expiration times allow IP address reuse. After expiration, other exporter...

...bel. This can be done either with support from the network, or by explicitly forwarding messages through a proxy trusted to maintain the labels of machines it is proxying. Secure program partitioning [25] partitions a single program into sub-programs that run on a set of machines specified at compile time with varying trust, to uphold an overall information flow policy. DStar is complementary, providi...

...hine compromises. DStar could be used to connect multiple Flume clusters together without any inherent centralized trust or scalability bottlenecks. Capability-based operating systems, such as KeyKOS [4] and EROS [17], can provide strict program isolation on a single machine. A DStar exporter could control information flow on a capability-based operating system by ensuring that processes with differe...

...This property greatly facilitates interaction between mutually distrustful components, one of the keys to preserving security in the face of untrustworthy code. By contrast, military systems, such as [22], have also long controlled information flow, but using mechanisms only available to privileged administrators, not application programmers. Similarly, administrators can already control information f...

...wer performance. The DStar exporter and client library illustrate the additional code that must be trusted in order to distribute this web server over multiple machines. Side-channel attacks, such as [1], might allow recovery of the private key; OpenSSL uses RSA blinding to defeat timing attacks such as [5]. To prevent an attacker from observing intermediate states of CPU caches while handling the pr...

...yMaxx users’ tax forms [20]. If we cannot improve the quality of software, an alternative is to design systems that remain secure despite untrustworthy code. Recent operating systems such as Asbestos [21], HiStar [26], and Flume [12] have shown this can be achieved through decentralized information flow control (DIFC). Consider again the PayMaxx example, which runs untrustworthy application code for e...

...pressed by DStar. DStar could provide more fine-grained information flow tracking by enforcing it with a programming language like Jif rather than with an operating system. Jaeger et al. [11] and KDLM [7] associate encryption keys with SELinux and Jif labels, respectively, and exchange local security mechanisms for encryption, much like DStar. These approaches assume the presence of an external mechan...

...mmunicating with other processes running on the same machine: segments and gates. Communicating via a segment resembles shared memory: it involves writing the message to the segment and using a futex [10] to wake up processes waiting for a message in that segment. Communication over a gate involves writing the message to a new segment, and then allocating a new thread, which in turn invokes the gate, ...

...operating system by ensuring that processes with different labels had no shared capabilities other than the exporter itself, and therefore could not communicate without the exporter’s consent. Shamon [14] is a distributed mandatory access control system that controls information flow between virtual machines using a shared reference monitor. DStar avoids any centralized reference monitor for security ...

...bels can be expressed by DStar. DStar could provide more fine-grained information flow tracking by enforcing it with a programming language like Jif rather than with an operating system. Jaeger et al. [11] and KDLM [7] associate encryption keys with SELinux and Jif labels, respectively, and exchange local security mechanisms for encryption, much like DStar. These approaches assume the presence of an ex...

...g server. The Taos speaks-for relation inspired the much simpler DStar trusts relation, used to define discretionary privileges for different categories between exporters. Multi-level secure networks [2, 9, 15, 18] enforce information flow control in a trusted network, but provide very coarse-grained trust partitioning. By comparison, DStar functions even in an untrusted network such as the Internet, at the cos...